Does TEM support finding out relationships between hosts?

(imported topic written by SystemAdmin)

For management purposes, a network topology is very helpful for managing assets in a scope.

I can see the hosts that have the client installed as a list in the TEM console.

However, there is no information/attribute to indicate if there are dependency/transaction relationships among the hosts.

Is there anybody who could share experience on it? Am I missing something to find out the details?

Thanks,

Bo

(imported comment written by liuhoting)

Are you talking about the relationship between VM hosts (like ESX or HyperV) and the guests that run on that host? If so, there’s actually a dashboard we developed that’s in the BES Inventory and License site that should help highlight the relationship between hosts and guests.

I think it’s called the Server Hypervisor Visibility Integration dashboard.

(imported comment written by SystemAdmin)

The relationship between VM hosts and guests is one of the relationships for a single host; it is simple to find out, like software installed on the host. What I mean is whether information between hosts can be found, such as transaction/call relationships. Then a topology including all hosts that support a business application can be shown to the administrator.

Thank you very much for your response.

Bo

(imported comment written by SystemAdmin)

This topic of relationships has come up a number of times over the years. Understanding that the present TEM architecture doesn’t support relationships, it would still be worthwhile adding (or re-adding) this to the feature request list.

The rather crude way to do this today is cobbling together flags, runascurrentuser, batch/powershell scripts, etc. that reach out to other machines with which the current machine has a relationship in order to determine status. Ultimately, the ability of TEM to ask questions of other agented machines (similar to Powershell remoting) and the ability to group and query a set of machines based on relevance criteria would be huge.

Scenarios in which this would be useful:

  • Machine A needs to finish before machine B or C can run/reboot/etc.
  • Machine D needs to wait until A, B, and C are done before it continues.
  • When condition X exists on machine A, then take action Y on machines B, C, and D.
  • Use action or analysis result output from machine A as input parameter on machines B and C.
  • Show action or analysis result as true when the result is consistent across machines A, B, and C.

Security has been the sticking point so far. Obviously care would need to be taken in implementing such functionality. To that end, I’d propose some controls for “TEM remoting” as a conversation starter:

  • TEM remoting would be off by default.
  • A specific list of machines or groups would need to be specifically allowed to make remote inquiries.
  • Leverage the PKI infrastructure from local user management to sign and validate the remote request. Bonus for the option to encrypt the response.
  • Have a “relationship” group (normal group + specific remote permissions of each group member + unique authorizing certificate/key + operator, TEM role, and/or AD/LDAP account/group authorized to leverage the relationship).
  • Permit targeting of “relationship” groups with actions/baselines/policy actions.

(imported comment written by BenKus)

Hey Jon,

Our services team built a simple tool that can coordinate actions amongst systems using the APIs… Email me and I can give you more info (and maybe we can release it in BigFix Labs).

Ben

(imported comment written by SystemAdmin)

Jon,

This is an interesting topic. As you mentioned, the present TEM architecture doesn’t support relationships. To support collaboration between hosts for sequenced actions, or dependency analysis for operational decisions, relationship information is important in these scenarios.

So I developed a plugin report to analyze the relationships between hosts. Besides retrieving relationships between hosts, it provides a graph layout to drill down into details of the relations. I have attached a snapshot of the toolkit, which has been integrated in a TEM demo system. However, I think more work needs to follow to support all scenarios in your proposal.

Bo

(imported comment written by SystemAdmin)

Hi Bo,

Thanks for sharing. That is an interesting step. It seems that you are approaching it more from a reporting/console perspective. That angle is useful for some things. What I was primarily interested in was a direct way for one agent or relay to do relevance or run an actionscript against a remote machine, then, based on the remote response, take local action.

The key piece that was missing until recently was a strong security mechanism to ensure that nothing rogue would transpire in agent-to-agent communication. The OpenSSL engine has been introduced with Local User Management and has now been leveraged for MDM among other things. Having unique keys on the agent solves the previous security limitation. One agent could pass a request incorporating the unique TEM site signature, sender name, sender computer ID, and signed by the requesting agent’s private RSA key. The target agent could authenticate the request by comparing the sender’s name, TEM site signature, and validating the signature of the sender (a web service query using the sender computer ID to web reports to do a lookup of the sender’s public key if it isn’t already cached locally).

Some of the functionality already exists, it just isn’t all tied together yet. The Fixlet Debugger allows the content to be evaluated by the local agent. Instead of the local agent, let’s just target a remote agent with a PKI-signed request. Existing relevance and actionscripts could be extended by specifying the target (default or no argument would continue to be local host).

If such functionality was in place, it would open up a whole new world of business process automation.

Jon
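The signed request and its verification as Jon describes them, written out as an added Go example (not code from the thread or from TEM/BigFix): the request carries site signature, sender name, sender computer ID and the relevance, signed with the sender's private RSA key; the target compares site signature and sender, fetches the sender's public key by computer ID through a lookup that stands in for the web reports query (caching it locally), and only then checks the signature. Field names, the `Verifier` type and the lookup function are assumptions for illustration.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Request is the agent-to-agent message proposed in the thread (field names are
// constructed): site signature, sender name and computer ID, relevance, RSA signature.
type Request struct {
	SiteSig, Sender, Relevance string
	ComputerID                 int
	Signature                  []byte
}
// digest covers every field but the signature, NUL-separated so fields cannot shift.
func (r Request) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s\x00%s\x00%d\x00%s", r.SiteSig, r.Sender, r.ComputerID, r.Relevance)))
	return h[:]
}
// Sign runs on the requesting agent with its own private key.
func Sign(r Request, key *rsa.PrivateKey) (Request, error) {
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, r.digest(), nil)
	r.Signature = sig
	return r, err
}
// Verifier models the target agent: site signature, allow-list of senders (name ->
// computer ID), a local key cache, and a Lookup standing in for the web reports query.
type Verifier struct {
	SiteSig string
	Allowed map[string]int
	Cache   map[int]*rsa.PublicKey
	Lookup  func(id int) *rsa.PublicKey
}
// Verify rejects the request unless site, sender and signature all check out.
func (v *Verifier) Verify(r Request) error {
	if r.SiteSig != v.SiteSig {
		return fmt.Errorf("site signature mismatch")
	}
	if id, ok := v.Allowed[r.Sender]; !ok || id != r.ComputerID {
		return fmt.Errorf("sender %q/%d not allowed", r.Sender, r.ComputerID)
	}
	pub := v.Cache[r.ComputerID]
	if pub == nil {
		if pub = v.Lookup(r.ComputerID); pub == nil {
			return fmt.Errorf("no public key for computer %d", r.ComputerID)
		}
		v.Cache[r.ComputerID] = pub
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, r.digest(), r.Signature, nil)
}
```

Only after Verify returns nil would the target evaluate the relevance locally; the per-sender allow-list matches the "off by default, specifically allowed machines" control proposed earlier in the thread.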

(imported comment written by SystemAdmin)

Hi Jon,

I had a similar idea to query information directly from the (BES) agent on a remote host with an API. However, it didn’t work, even though the relevance can run on the local client as you mentioned. I think there is a development API for the client, but it is not published outside.

Alternatively, the BES server could be a message transfer between hosts, but with delay. And this might be more secure with central management.

I think it needs a balance between performance and capability: if the client agent performs more analysis and communication with other agents, more resources are required on the host.

So I still follow the existing BES framework to collect information with the client, and analyze the data on the BES server to mine relationships. But I have to say, making agents more intelligent for automatic negotiation is always exciting in AI.

Bo